On Accuracy in Cybersecurity

I have a new article on how to address questions of accuracy in cybersecurity up on SSRN. It’s titled Schrödinger’s Cybersecurity; here’s the abstract:

Both law and cybersecurity prize accuracy. Cyberattacks, such as Stuxnet, demonstrate the risks of inaccurate data. An attack can trick computer programs into making changes to information that are technically authorized but incorrect. While computer science treats accuracy as an inherent quality of data, law recognizes that accuracy is fundamentally a socially constructed attribute. This Article argues that law has much to teach cybersecurity about accuracy. In particular, law’s procedural mechanisms and contextual analysis can define concepts such as authorization and correctness that are exogenous to code. The Article assesses why accuracy matters, and explores methods law and cybersecurity deploy to attain it. It argues both law and cybersecurity have but two paths to determining accuracy: hierarchy, and consensus. Then, it defends the controversial proposition that accuracy is constructed through social processes, rather than emerging from information itself. Finally, it offers a proposal styled on the common law to evaluate when accuracy matters, and suggests that regulation should bolster technological mechanisms through a combination of mandates and funding. Like the cat of Schrödinger’s famous thought experiment, information is neither accurate nor inaccurate until observed in social context.

Cite: Derek E. Bambauer, Schrödinger’s Cybersecurity, 48 UC Davis Law Review (forthcoming 2014).

 

ACLU Challenges Arizona Revenge Porn Law

The ACLU, ably assisted by Dentons US LLP, has filed a challenge to Arizona’s revenge porn law in federal district court (complaint, ACLU blog, WIRED story). This is great news for Arizonans: the bill was terribly drafted and unconstitutional from the moment it was signed into law. Fighting revenge porn is important, but as Arizona is about to learn, you don’t get to trample the Constitution even in the service of a good cause. (Here’s my earlier post on the law.)

Icanhazjurisdiction?

Alan Trammell and I have a new article coming out on the problems of personal jurisdiction analysis when it involves Internet contacts. (The title is Personal Jurisdiction and “teh Interwebs”; I tried very hard to convince Alan to go with the title of this post, to no avail.) Abstract is below; we’d love your comments and thoughts.

For nearly twenty years, lower courts and scholars have struggled to figure out how personal jurisdiction doctrine should apply in the Internet age. When does virtual conduct make someone amenable to jurisdiction in any particular forum? The classic but largely discredited response by courts has been to give primary consideration to a commercial Web site’s interactivity. That approach distorts the current doctrine and is divorced from coherent jurisdictional principles. Moreover, scholars have not yielded satisfying answers. They typically have argued either that the Internet is thoroughly exceptional and requires its own rules, or that it is largely unexceptional and can be subject to current doctrinal tests. 

The difficult relationship between the Internet and modern personal jurisdiction doctrine is a symptom of a much larger problem. We argue that the Supreme Court’s current approach has bifurcated physical and intangible harm. Viewed through that lens, the overarching problem comes into focus because rules that sensibly govern the physical world apply awkwardly — sometimes incoherently — to intangible harm. Accordingly, we propose a return to personal jurisdiction’s first principles, particularly a concern for fairness and predictability. We argue that courts should dispense with the fiction that purely virtual conduct creates any meaningful contact with a particular forum. The narrow approach that we advocate likely will restrict the number of places where a plaintiff can sue for intangible harm, but through three test cases we demonstrate why such a rule will enhance fairness and predictability while also ensuring sufficient access to justice.

Cite: Alan M. Trammell & Derek E. Bambauer, Personal Jurisdiction and “teh Interwebs,” 100 Cornell Law Review (forthcoming 2015).

Why Aren’t “Hacked” Celebrities Filing Takedown Notices?

Writing today in Slate, Emily Bazelon complains that the law does not do enough to protect the privacy rights of celebrities whose accounts were illicitly “hacked” last weekend, resulting in the release of unauthorized nude photos the celebrities apparently took of themselves. Bazelon contrasts what she characterizes as the celebrities’ inability to remove their objectionable content from third-party Web sites with the much easier time that big movie studios have getting their works removed from YouTube. She writes:

Every day, movie and TV producers succeed in getting videos that have been posted without their consent taken down from major websites. Sure, you can still find pirated stuff if you look hard enough. But the big sites take down content once they know it’s been posted in violation of copyright. Because if they don’t, they’ll be sued—and no one will care if they defend the publication of stolen materials, in the name of free speech or otherwise.

Yet in the days since Jennifer Lawrence and other celebrities discovered that their nude images were stolen, and then posted without their consent on sites like Reddit and 4Chan, the stars can’t get the images taken down.

But that’s just not so. The law already provides precisely the same safeguards for the celebrities that it does for the movie and TV producers: as the creators (and copyright holders) of works posted online without their permission, they are statutorily entitled under 17 U.S.C. § 512(c) to insist that the hosting web sites remove, or disable access to, that content. Further legislation is unnecessary; all that is necessary for the injured parties to disable access to all the “hacked” photos is to follow the notice-and-takedown procedure specified in Section 512.

The problem is not, as Bazelon argues, that Section 230 of the Communications Decency Act (“CDA”) immunizes the web sites’ unauthorized display of the “hacked” photos. (To the contrary, those sites have apparently already removed some of the leaked content whose distribution violates federal law.) By its express terms [in paragraph (e)(2)], Section 230 provides absolutely no immunity to service providers accused of violating copyright law. Thus, the CDA interposes no bar to the use of Section 512′s notice-and-takedown regime under the present circumstances.

There are real issues raised by the “hacking” scandal, but the big ones are social/cultural, not legal. Posting content created by other people is already punishable both civilly and criminally, and the means to disable online access to such content are already in place. Whether it is fair to require individuals whose privacy has been invaded to avail themselves of their Section 512 rights in order to prevent further invasions is a separate question, but the problem is not, as Bazelon portrays it, the lack of appropriate legislation.

(Of course, Derek has already treated this issue, and responds presciently to the Section 230 objection, elsewhere. Happily for his analysis, the thornier IP problems involved in the repugnant “revenge porn” scenario, where the injured party and the copyright holder may not be the same person, are not present in the context of the hacked celebrity “selfies.”)

Mod a Game Console, Go to Jail

I’ve been puzzling over the 6th Circuit’s new opinion in United States v. Reichert (No. 13-3479, Mar. 28, 2014), in which a divided panel affirmed a defendant’s criminal conviction for violating the Digital Millennium Copyright Act’s anti-trafficking rule (17 U.S.C. § 1201(a)(2)) based on the defendant’s sale of a “modded” video game console to an undercover federal agent.

It’s a confusing opinion. Part of the confusion may have to do with my relative unfamiliarity with criminal law; most of the majority’s opinion is devoted to explaining why the defendant’s violation met the “willfulness” mens rea standard of 17 U.S.C. § 1204(a) despite the defendant’s apparent ignorance of the DMCA. I personally find troubling the court’s characterization of “willfulness” as permitting conviction based on proof that the defendant “deliberately ignored a high probability that he was trafficking in technology” that the DMCA in fact forbids (irrespective of whether the defendant knew that the DMCA forbid such trafficking), which seems to me inconsistent with United States v. Liu, 731 F.3d 982 (9th Cir. 2013), a case that engaged in a much more careful analysis of copyright’s criminal mens rea requirements than does the Reichert panel. But perhaps I’m misreading the court’s opinion on this point; criminal law isn’t my specialty.

My more basic problem is that, quite apart from the mens rea issue, I am having a hard time understanding the underlying DMCA claim. Read more…

Cybercrime’s International Challenges

Jane and I are in Cluj-Napoca, Romania, for a conference titled “Crimes, Criminals, and the New Criminal Codes: Assessing the Effectiveness of the Legal Response” at Babes-Bolyai University. Jane is speaking on “Surveillance in a Technological Age: The Case of the NSA,” and I’m giving a talk based on my forthcoming article Ghost in the Network. I’ll post updates from time to time – one thing I’ve just learned is that Ramniciu Valcea, Romania, is known as “Hackerville” because it has become what Francesca Bosco of UNICRI calls the “Silicon Valley of organized crime.”

Updates

  • Straight out of “The Wire“: organized crime hacked systems at the Port of Antwerp to smuggle drugs into the country in shipping containers without detection.
  • Reminder from Jane: FISA doesn’t protect non-U.S. persons who are abroad, and never has.
  • Jane: there is exactly one criminal case where a defendant has received notice that information developed under a FISA order is being used against him/her. (Of course, that’s because the government routinely lies about this.)
  • Giovanni Ziccardi on hate speech: pure cybercrimes are unusual – the real action is in the linkage between “old” crimes and use of computers. In 20 years (1993 – 2013), Italy had 72 unauthorized access cases, 7 virus cases, and 17 about attacks on critical systems (at the country’s 1st and 2nd level courts).
  • Ziccardi: Italy’s draft law 2195 bans Internet anonymity. Appears to have been drafted by squirrels and starlets [my summary].
  • John Vervaele: The EU has only one mechanism for forcing member states to comply with basic standards for human rights – suspending that state’s membership rights. It’s too strong a remedy to be effective in ensuring the rule of law, since the EU is reluctant to deploy it.

Formalism and Slow Victories in “Saving the Neighborhood”

We’re fewer than 24 hours away from seeing Carol Rose and Richard Brooks at a conference at the University of Arizona James E. Rogers College of Law, titled “Saving the Neighborhood,” after their new book. (Spaces still available! Register here.) I posted about the information law aspects of racial covenants here (cross-posted by Jane at Balkinization). Today I want to discuss briefly two additional aspects of the book that I found thought-provoking and counterintuitive: formalism, and slow victories.

On formalism: Rose and Brooks argue that relying on real property law as a mechanism for enforcing racial segregation in housing was risky. It was a gamble because even Southern courts – no friends of integration, as they would show in the full-bore resistance to ending school segregation and to prohibiting Jim Crow laws – were skeptical of the devices. Particularly in the pre-Lochner era, the courts evinced a formalistic understanding of property, and of the need (perhaps even of a constitutional dimension) to prevent governmental interference with property rights. The whole point of racial covenants was to operate as a restraint upon alienation – a restraint that might take considerable effort to evade or remove. The ability to dispose of one’s property as one sees fit is at the heart of classical property theory, checked by policing against externalities (such as pollution) by courts. Courts turned down efforts to limit integration through nuisance lawsuits (via formal conceptions of “use,” which did not include mere status of the purchaser) and through zoning. When homeowners turned next to covenants, they did not have certainty that those deed restrictions would be enforced if challenged.

I find fascinating the clash of goals that was taking place in front of the courts adjudicating nuisance, zoning, and covenant suits. The homeowners or municipalities wanted to enforce segregation against opportunists and defectors (not to mention minority buyers). Doubtless the judges hearing the cases were sympathetic. But they had a different normative ordering: segregation, while certainly appealing, had to be weighed against jurists’ commitment to particular views of property and of constitutional rights. And at least in the case of zoning and nuisance, segregation yielded: protecting a particular, formal conception of property loomed as the more important consideration. For me, this usefully complicated my perception of the court system during this period. My mental model was of the Alabama Supreme Court during the civil rights era – say, during the back-and-forth with the U.S. Supreme Court in NAACP v. Alabama. Judges’ motives and goals encompassed far more than simply defending segregation against all comers, and there were times when countervailing values – such as restraint upon governmental intrusion, or a particular model of real property – prevailed over race-based goals. That I found surprising.

On slow victories: the NAACP, despite a string of defeats, continued to attack racial covenants on the theory that their enforcement constituted state action. This strategy flew in the teeth of the prevailing legal wisdom, which was that these arrangements constituted classic private law, carrying no constitutional implications. In Shelley v. Kraemer, the NAACP’s theory was vindicated – a triumph for equal protection, for integration, and for legal realism, all at once. But it struck me how counterintuitive and edgy this strategy was. The NAACP risked accumulating a string of unfavorable precedents, perhaps even capped by a Supreme Court decision that was, along the lines of Plessy v. Ferguson or Bowers v. Hardwick, a seminal defeat. My own tendencies are far more conservative: you have to pick your spots, and once a theory seems like a consistent loser, you abandon it. The NAACP believed in their vision, as both a legal and moral imperative, and they were proved right. Sometimes you have to lose for a while to win. This seems to have modern resonance: the litigation strategy for marriage equality confronted a string of bad precedent and unfavorable politics, and I was deeply worried when the Supreme Court granted cert in both Windsor and Perry. There, too, the plaintiffs proved that the moral arc of the universe is sometimes shorter than we think – and still bends towards justice.

“Saving the Neighborhood” forces us to re-examine long-held assumptions about racial covenants, housing segregation, clashes of norms over race, and the risks of bold litigation strategies. For that, I’m indebted to Carol Rose and Richard Brooks.

Arizona: How Not To Combat Revenge Porn

Arizona House Bill 2515 seeks to criminalize revenge porn. The only small problem: the proposed statute is blatantly unconstitutional. Here’s the text:

Be it enacted by the Legislature of the State of Arizona:

Section 1.  Title 13, chapter 14, Arizona Revised Statutes, is amended by adding section 13-1425, to read:

13-1425.  Unlawful distribution of images; state of nudity; classification; definition

A.  It is unlawful to knowingly disclose, display, distribute, publish, advertise or offer a photograph, videotape, film or digital recording or other reproduction of another person in a state of nudity or engaged in a sexual act without obtaining the written consent of the depicted person.

B.  This section does not apply to any of the following:

1.  Lawful and common practices of law enforcement, reporting criminal activity to law enforcement, or when permitted or required by law or rule in legal proceedings.

2.  Medical treatment.

3.  Images involving voluntary exposure in a public or commercial setting.

C.  A violation of this section is a class 5 felony, except that a violation of this section is a class 4 felony if the depicted person is recognizable.

D.  For the purposes of this section, “state of nudity” has the same meaning prescribed in section 11‑811.

Sigh. This is the trouble with some of the draft legislation floating around out there that gets copied and pasted without the intervention of legal analysis. This bill is plainly unconstitutional – it offers no exception for matters of public concern or newsworthiness. Here’s the hypo that shows why it’s DOA: I have an image of Monica Lewinsky and President Bill Clinton engaged in a sex act. I publish it in the newspaper. Can I be prosecuted? Clearly not – it’s a matter of public concern (the President is having an affair with an intern, a government employee), so the First Amendment blocks the prosecution. And the bill’s failsafe (“permitted by law”) isn’t sufficient; rather, it’s lazy drafting – it puts the onus on courts to clean up the legislature’s mess, and to sort out permitted from proscribed speech. That’s not nearly enough; there is a long line of precedent making clear that the legislature must, for due process reasons, provide far more clear notice of what is banned and not, especially where speech is concerned. (See, for example, Reno v. ACLU.) I lay out the challenges of drafting a criminal law that’ll pass First Amendment muster in this post and in my article Exposed. (Just for one example, the legislature ought to read U.S. v. Stevens.)

Arizona passes a lot of unconstitutional laws these days. Revenge porn is a real problem that needs thoughtful solutions. This isn’t one of them. Arizonans deserve better.

Reifying Racism: Real Property as Information Law

On Friday, Carol Rose and Richard Brooks will co-star at a conference at the University of Arizona James E. Rogers College of Law, titled “Saving the Neighborhood,” after their new book. (You can come! Register here.) Rose and Brooks examine the development of legalized racial segregation in housing, the gradual shift to the use of covenants in real property deeds to effectuate restrictions, and the legal battle that culminated in the Supreme Court’s rejection of such devices in Shelley v. Kraemer. Shelley is a casebook standard for both constitutional law and property courses, entangled as it is in questions of state versus private action, alienability of property, and the rise of the civil rights movement. Rose and Brooks, though, tell a much less well-known story: one of subtle signals, game theory, legal formalism, and norm entrepreneurs. The book is gracefully written and eminently readable. It tells a story that is much more complex than the standard 1L accounts of racial covenants. It intrigued me, and in the next few posts, I’ll expound upon why.

Rose and Brooks argue that the legal enforceability of racial covenants was almost beside the point: court battles were rare, and expensive. Rather, racial covenants served as a substitute and a signal. In looser-knit communities (and in ones with higher socio-economic status), racial covenants took the place of informal social pressures – everything from angry glares to deadly violence – that were the standard mechanism for maintaining racial boundaries in poorer communities or ones with closer ties. Racial covenants carried two simultaneous messages. First, and most obviously, they conveyed to potential homebuyers who were of a racial or ethnic minority (principally African-Americans, but also Asian-American and Latino-American ones as well, depending on the location) that they were quite definitely unwelcome. This indicator had real as well as semiotic effects. It was far more difficult for minority purchasers to obtain a home mortgage when reviewing banks saw the covenants, and the legal proscription could demonstrate a willingness to engage in extra-legal pressures as well. The second signal was to neighbors of the restricted property. It reassured them that collective action to maintain segregation remained strong, preventing the risk of panicked selling or white flight when neighbors feared a sudden shift in the area’s racial composition. This is a sophisticated account of the functioning of fairly arcane legal restrictions. (How many homeowners reading this have checked their deeds for restrictions? Supreme Court Justice William Rehnquist didn’t.)

I have two thoughts about the signaling function of racial covenants. The first is that it suggests some internal discomfort, on the part of at least some white homeowners, about their racial attitudes. Racial covenants strike me as a mechanism for psychological distancing from a slightly distasteful / embarrassing prejudice. (Put another way, I would argue that at least some homeowners preferred more covert “polite racism” to the overt pressures of broken windows and burning crosses.) If this is correct, covenants would have two appealing features. First, unlike “Not For Sale” signs or other constant, more salient signals, racially restrictive covenants were invisible until needed. While real property deeds are nearly always recorded, few people bother to check them until there is a need – buying or selling a parcel of property. Thus, white homeowners did not have to reveal themselves as racist until it was economically or socially important to convey that information. And, covenants allowed a sort of outsourcing of blame: the homeowners could claim that it was not they who were preventing neighborhood integration, but rather the law, via the mechanism of the deed to their property. Some homeowners (like Rehnquist) might plausibly claim not to know of the covenants, or even to disagree with them. But, they could argue that it was no longer up to them – the property carried a legal restriction, and they wanted to follow the law. (Put to one side the fact that, like Rehnquist, they could likely extinguish such covenants with a few hours of a lawyer’s time.) I would argue, then, that racial covenants played an important role for white homeowners aside from the practical one of keeping minorities out of their neighborhood: it allowed them to avoid confronting fully the depth and effects of their prejudice.

Second, this signaling function has important implications for utilitarian versus expressivist theories of law. I have always been an instinctive utilitarian: unenforceable laws strike me as useless. (Years ago, Massachusetts attempted to clear a congeries of outdated, unenforceable laws from the statute books, only to run into stiff opposition from segments of the public who still supported those strictures, even while acknowledging they were no longer binding.) Rose and Brooks’s work, though, convinces me the line between the two theories is not nearly so sharp as I had thought. Even legal devices that cannot be enforced in court can still have social effect. While racially restrictive covenants were rarely enforced in court before Shelley, the shadow of the law may have been important. But even after the Supreme Court’s decision, parties continued to write these covenants into deeds. The expressivist utilitarian view is that these were tales told by an idiot, full of sound and fury (at the Court’s decision), signifying nothing (legally). Rose and Brooks, however, argue that these formally defunct restrictions continued to play a role in setting out social norms – they were greatly weakened signals, but signals nonetheless. It took a flat ban under the Fair Housing Act of 1968 to cut off the informational role of covenants. Even afterwards, recorded deeds still served as musty, but functional, data for buyers about what to expect from their new neighbors.

This is real property as information law – tremendously exciting. More to come.

UPDATE (28 Jan 2014, 8:39PM): sorry, switched “expressivist” and “utilitarian” in the last full paragraph. My fault.

Video: Hacking Revenge Porn

The video from the NYC Legal Hackers event on Revenge Porn is now available. Props to Jonathan Askin, Phil Weiss, David Giller, Warren Allen, Mark Jaffe, Lee Rowland, Ari Waldman, and Jeremy Glickman for a fantastic event. And thanks so much to everyone who braved the (blinding, driving) snow to attend! It was wonderful to catch up with so many friends.